webrtcbin and AES-256 encryption

Laszlo Molnar laszlo.molnar at nixs.com
Fri Nov 24 17:21:41 UTC 2023


I've started to get into the implementation but this will be the first time
I touch GStreamer-related code so I would like to ask for some
directions/suggestions.
I've found the 'GstDtlsSrtpCipher' in 'gstdtlsconnection.h' and added an
AES256 field:

typedef enum {
    GST_DTLS_SRTP_CIPHER_AES_128_ICM = 1,
    GST_DTLS_SRTP_CIPHER_AEAD_AES_256_GCM = 8
} GstDtlsSrtpCipher;

I've chosen AEAD AES-256 GCM because that was the only supported AES-256 in
openssl/srtp.h:
/* AEAD SRTP protection profiles from RFC 7714 */
# define SRTP_AEAD_AES_128_GCM  0x0007
# define SRTP_AEAD_AES_256_GCM  0x0008

I added a new field to '_GstDtlsAgentPrivate' in 'gstdtlsagent.c' as well
that helps decide which AES type to use:

struct _GstDtlsAgentPrivate
{
  SSL_CTX *ssl_context;
  GstDtlsCertificate *certificate;
  uint8_t type; // new field
};

I have several questions here:
- will this addition to _GstDtlsAgentPrivate cause any problems
(aligning/padding/etc)?
- where should I add some enum or #define value so it is better than
putting 0/1 into it?
- I found this:
enum
{
  PROP_0,
  PROP_CERTIFICATE,
  NUM_PROPERTIES
};

static GParamSpec *properties[NUM_PROPERTIES];

and that it is used to set the value(?) of the Certificate part of
_GstDtlsAgentPrivate. Should I add type into it and set an initial value
and add it to gst_dtls_agent_set_property() so I can set the value of type
from webrtcbin? Or am I completely off track and it's not used for that?

Also, as I see, the AEAD AES-256 GCM contains all the auth stuff but the
AES-128 ICM doesn't. Will I need to do additional coding to make the
AES-256 work or does OpenSSL handle this part under the hood?

I'll be offline for two days but will continue investigating/working on the
topic next week.

Thanks!
Laszlo Molnar


On Mon, Nov 13, 2023 at 10:13 AM Laszlo Molnar <laszlo.molnar at nixs.com>
wrote:

> Hi Olivier,
>
> Thank you for your help! I'll get familiar with the code base and if I
> feel like I'm comfortable with changing it, I'll do the work. I may get
> back with more questions as well. By the way, there is an unfinished
> sentence in your answer. Is something missing or was it just a typo?
>
> Laszlo
>
> On Fri, Nov 10, 2023 at 8:37 PM Olivier Crête <olivier.crete at collabora.com>
> wrote:
>
>> Hi,
>>
>> To do this, you need to modify the dtls plugin to give the right profiles
>> to OpenSSL, look at the call to SSL_CTX_set_tlsext_use_srtp(), then search
>> for the enum that reads it out to the SRTP elements (which already support
>> AES-256). You
>>
>> And then we'd need to add an API to webrtcbin to select it.
>>
>> Olivier
>>
>> On Fri, 2023-11-10 at 18:11 +0100, Laszlo Molnar via gstreamer-devel
>> wrote:
>>
>> Hi,
>>
>> I want to achieve AES-256 encryption with webrtcbin (so webrtcbin uses
>> AES-256-encoded SRTP packets). As I see from the source code (correct me if
>> I'm wrong) webrtcbin uses DTLS and that only has AES-128. Is it possible to
>> change this? To make a pipeline that uses an AES-256 encoder and disable
>> webrtcbin's DTLS encoding? Any solution would work as long as it achieves
>> AES-256.
>>
>> Thanks!
>>
>>
>> --
>>
>> Olivier Crête olivier.crete at collabora.com
>> Multimedia Lead
>>
>>
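
Added example, not part of this thread and not GStreamer code: the step that differs between the two profiles discussed above once DTLS has negotiated one, namely sizing and splitting the exported keying material per RFC 5764 and RFC 7714. The names SrtpMaster, profile_lengths, exporter_length and split_keying_material are hypothetical; in a real program the profile ID would come from OpenSSL's SSL_get_selected_srtp_profile() and the bytes from SSL_export_keying_material() with the label "EXTRACTOR-dtls_srtp".

```c
#include <stddef.h>
#include <stdint.h>

/* Profile IDs from RFC 5764 / RFC 7714 (same values as in openssl/srtp.h). */
enum { PROFILE_AES128_CM_SHA1_80 = 0x0001, PROFILE_AEAD_AES_256_GCM = 0x0008 };

/* Hypothetical helper type: one direction's SRTP master key and salt. */
typedef struct {
  const uint8_t *key;  size_t key_len;
  const uint8_t *salt; size_t salt_len;
} SrtpMaster;

/* Master key/salt sizes per profile; returns 0 for a profile not handled. */
static int profile_lengths(uint16_t id, size_t *key_len, size_t *salt_len)
{
  switch (id) {
    case PROFILE_AES128_CM_SHA1_80: *key_len = 16; *salt_len = 14; return 1;
    case PROFILE_AEAD_AES_256_GCM:  *key_len = 32; *salt_len = 12; return 1;
    default: return 0;
  }
}

/* Bytes to request from the exporter: two keys plus two salts (0 if unknown). */
static size_t exporter_length(uint16_t id)
{
  size_t k, s;
  return profile_lengths(id, &k, &s) ? 2 * (k + s) : 0;
}

/* Split material laid out as client_key | server_key | client_salt |
 * server_salt (RFC 5764 section 4.2). Fails closed on an unknown profile or a
 * wrong-sized buffer, so a 60-byte AES-128 export is never read as 88 bytes. */
static int split_keying_material(uint16_t id, const uint8_t *buf, size_t len,
                                 SrtpMaster *client, SrtpMaster *server)
{
  size_t k, s;
  if (!buf || !profile_lengths(id, &k, &s) || len != 2 * (k + s))
    return 0;
  client->key  = buf;             client->key_len  = k;
  server->key  = buf + k;         server->key_len  = k;
  client->salt = buf + 2 * k;     client->salt_len = s;
  server->salt = buf + 2 * k + s; server->salt_len = s;
  return 1;
}

int main(void)
{
  uint8_t material[88] = {0}; /* constructed sample, not real key material */
  SrtpMaster c, s;
  return split_keying_material(PROFILE_AEAD_AES_256_GCM, material, 88, &c, &s) ? 0 : 1;
}
```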